The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter describes how to configure switchport blocking on the Cisco NX-OS device.
This chapter includes the following sections:
Occasionally, unknown multicast or unicast traffic is flooded to a switch port because a MAC address has timed out or has not been learned by the switch. Security issues could arise if unknown multicast and unicast traffic is forwarded to a switch port. You can enable switchport blocking to guarantee that no multicast or unicast traffic is flooded to the port.
Switchport blocking has the following configuration guidelines and limitations:
Switchport blocking applies only to egress ports while traffic storm control applies only to ingress ports.
Switchport blocking is supported on all switched ports (including PVLAN ports) and is applied to all VLANs on which the port is forwarding.
Switchport blocking is not supported for FEX ports.
When you block unknown multicast or unicast traffic for a port channel, it is blocked on all ports in the port-channel group.
Switchport blocking does not offer levels of control. It prevents the flooding of all unknown egress multicast or unicast packets on the specified port.
Switchport blocking drops control packets that originate from the CPU on Cisco Nexus 9500 Series switches. It does not drop packets on Cisco Nexus 9300 Series switches.
This table lists the default settings for switchport blocking parameters.
|
Parameters |
Default |
|---|---|
|
Switchport blocking |
Disabled |
By default, the switch floods packets with unknown destination MAC addresses to all ports. To prevent the forwarding of such traffic, you can configure a port to block unknown multicast or unicast packets.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 2 |
interface {ethernet slot/port | port-channel number} Example: |
Enters interface configuration mode. |
|
Step 3 |
[no] switchport block {multicast | unicast} Example: |
Prevents the flooding of unknown multicast or unicast packets on the specified interface. Use the no form of this command to resume normal forwarding on the port. |
|
Step 4 |
(Optional) show interface [ethernet slot/port | port-channel number] switchport Example: |
(Optional)
Displays the switchport blocking configuration. |
|
Step 5 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
To display switchport blocking configuration information, perform one of the following tasks:
|
Command |
Purpose |
|---|---|
|
show interface switchport |
Displays the switchport blocking configuration for all interfaces. |
|
show interface {ethernet slot/port | port-channel number} switchport |
Displays the switchport blocking configuration for the specified interface. |
|
show running-config interface [ethernet slot/port | port-channel number] |
Displays the switchport blocking configuration in the running configuration. |
The following example shows how to block multicast and unicast flooding on Ethernet interface 1/2 and how to verify the configuration:
switch# configure terminal
switch(config)# interface ethernet 1/2
switch(config-if)# switchport block multicast
switch(config-if)# switchport block unicast
switch(config-if)# show running-config interface ethernet 1/2
!Command: show running-config interface Ethernet1/2
!Time: Wed Apr 15 16:25:48 2015
version 79.2(1)
interface Ethernet1/2
switchport
switchport block multicast
switchport block unicast
Feedback